MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee97743cdb423fc71707bb9ccdf5a41b77d97ab0ca8dc51a493f25a6a492717f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee97743cdb423fc71707bb9ccdf5a41b77d97ab0ca8dc51a493f25a6a492717f
SHA3-384 hash: a59d1cb6c8a3ad36606979116a989c3e3851dbdeb8188895953c35c26d017645ab343a1c35991695a3ac89a5b1e07f32
SHA1 hash: d630f7b636157d4c371f729cb056a085d5e014f1
MD5 hash: 10162f3f3e7179fdfc0b58e51891d859
humanhash: friend-pizza-yankee-sodium
File name:random.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:2'130'944 bytes
First seen:2025-04-24 12:50:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:ZU75CEpVYtP79LOk1FIhEml0FzJGHVKEUOh8MPtkb2YblQX9:aVYtj1OkAhJl0u8nytcrqX
Threatray 76 similar samples on MalwareBazaar
TLSH T15DA5231BF7D80036D0A45B314DBA06C307357F819674939A668B5CAE4AA3B74BE703A7
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
432
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
https://bazaar.abuse.ch/download/ee97743cdb423fc71707bb9ccdf5a41b77d97ab0ca8dc51a493f25a6a492717f/
Verdict:
Malicious activity
Analysis date:
2025-04-24 19:26:30 UTC
Tags:
arch-exec lumma stealer amadey botnet loader telegram credentialflusher putty rmm-tool phishing evasion auto generic gcleaner pastebin arch-doc rdp upatre themida povertystealer lumar exfiltration redline metastealer miner delphi
Link:
https://app.any.run/tasks/1e778e74-0d9c-4238-91fc-913398aa015c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/3858/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680a35fda37ff28e12993025
Tags:
vmdetect autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Searching for analyzing tools
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Connection attempt
Sending an HTTP POST request
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey amadey CAB entropy explorer fingerprint installer lolbin lolbin microsoft_visual_cc netsh packed packed packed packer_detected rat rundll32 runonce sfx stealer virtual wmic
Link:
https://www.filescan.io/uploads/680a338a833df795debc5ccc/reports/662dce1d-1302-4ce3-b678-cddfda637cc0/overview
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/ee97743cdb423fc71707bb9ccdf5a41b77d97ab0ca8dc51a493f25a6a492717f
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f599564-6cb1-4fa4-b260-27f6fd068481
Result
Threat name:
Amadey, Go Stealer, LummaC Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1673079
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Drops PE files to the document folder of the user
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Capture Wi-Fi password
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Costura Assembly Loader
Yara detected Go Stealer
Yara detected LummaC Stealer
Yara detected PersistenceViaHiddenTask
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1673079 Sample: random.exe Startdate: 24/04/2025 Architecture: WINDOWS Score: 100 97 pomelohgj.top 2->97 99 latitudert.live 2->99 101 24 other IPs or domains 2->101 129 Suricata IDS alerts for network traffic 2->129 131 Found malware configuration 2->131 133 Antivirus detection for dropped file 2->133 135 28 other signatures 2->135 9 saved.exe 4 54 2->9         started        14 random.exe 1 4 2->14         started        16 msiexec.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 117 185.39.17.163, 49693, 49695, 49702 RU-TAGNET-ASRU Russian Federation 9->117 119 185.39.17.162, 49698, 49705, 49709 RU-TAGNET-ASRU Russian Federation 9->119 79 C:\Users\user\AppData\Local\...\8l6cDbq.exe, PE32 9->79 dropped 81 C:\Users\user\AppData\Local\...\LNHCtPX.exe, PE32+ 9->81 dropped 93 21 other malicious files 9->93 dropped 185 Contains functionality to start a terminal service 9->185 20 kc5itBk.exe 9->20         started        25 47Q6wZM.exe 9->25         started        27 LNHCtPX.exe 9->27         started        37 12 other processes 9->37 83 C:\Users\user\AppData\Local\...\2s2895.exe, PE32 14->83 dropped 85 C:\Users\user\AppData\Local\...\1L25e8.exe, PE32 14->85 dropped 29 2s2895.exe 1 14->29         started        31 1L25e8.exe 4 14->31         started        87 C:\Windows\Installer\MSI561B.tmp, PE32 16->87 dropped 89 C:\Windows\Installer\MSI552F.tmp, PE32 16->89 dropped 91 C:\Windows\Installer\MSI53E6.tmp, PE32 16->91 dropped 95 24 other malicious files 16->95 dropped 187 Drops PE files with benign system names 16->187 33 msiexec.exe 16->33         started        189 Multi AV Scanner detection for dropped file 18->189 191 Writes to foreign memory regions 18->191 193 Modifies the context of a thread in another process (thread injection) 18->193 195 Injects a PE file into a foreign processes 18->195 35 AddInUtil.exe 18->35         started        39 4 other processes 18->39 file6 signatures7 process8 dnsIp9 103 ip-api.com 208.95.112.1, 49713, 80 TUT-ASUS United States 20->103 105 api.csgoguide.org 172.67.192.193, 443, 49716 CLOUDFLARENETUS United States 20->105 71 C:\Users\user\...\SecurityHealthSystray.exe, PE32+ 20->71 dropped 137 Multi AV Scanner detection for dropped file 20->137 155 8 other signatures 20->155 58 7 other processes 20->58 157 3 other signatures 25->157 41 MSBuild.exe 25->41         started        45 MSBuild.exe 27->45         started        107 clarmodq.top 172.67.205.184, 443, 49692, 49694 CLOUDFLARENETUS United States 29->107 73 C:\Users\user\...\X66QWYKM5605CU221U2OHCU.exe, PE32 29->73 dropped 139 Antivirus detection for dropped file 29->139 141 Detected unpacking (changes PE section rights) 29->141 143 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->143 159 6 other signatures 29->159 47 X66QWYKM5605CU221U2OHCU.exe 29->47         started        75 C:\Users\user\AppData\Local\...\saved.exe, PE32 31->75 dropped 161 2 other signatures 31->161 49 saved.exe 31->49         started        109 185.196.11.30 SIMPLECARRIERCH Switzerland 35->109 145 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 35->145 111 185.244.212.106 M247GB Romania 37->111 113 pomelohgj.top 172.67.171.157, 443, 49700, 49703 CLOUDFLARENETUS United States 37->113 115 steamcommunity.com 23.52.218.12 TelecentroSAAR United States 37->115 77 C:\Users\user\Documents\...\0000013d0029.exe, PE32+ 37->77 dropped 147 Suspicious powershell command line found 37->147 149 Query firmware table information (likely to detect VMs) 37->149 151 Drops PE files to the document folder of the user 37->151 153 Tries to detect sandboxes and other dynamic analysis tools (window names) 37->153 51 0000013d0029.exe 37->51         started        54 cmd.exe 37->54         started        56 powershell.exe 37->56         started        60 4 other processes 37->60 file10 signatures11 process12 dnsIp13 121 climatologfy.top 104.21.80.1 CLOUDFLARENETUS United States 41->121 163 Query firmware table information (likely to detect VMs) 41->163 165 Tries to harvest and steal ftp login credentials 41->165 167 Tries to harvest and steal browser information (history, passwords, etc) 41->167 169 Tries to steal from password manager 41->169 123 geographys.run 172.67.212.67, 443, 49720, 49721 CLOUDFLARENETUS United States 45->123 171 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 45->171 173 Tries to steal Crypto Currency Wallets 45->173 175 Multi AV Scanner detection for dropped file 49->175 177 Contains functionality to start a terminal service 49->177 69 C:\Users\user\AppData\Roaming\...\Source.exe, PE32+ 51->69 dropped 179 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 51->179 181 Suspicious powershell command line found 54->181 62 powershell.exe 54->62         started        183 Loading BitLocker PowerShell Module 56->183 65 conhost.exe 56->65         started        67 conhost.exe 60->67         started        file14 signatures15 process16 dnsIp17 125 github.com 140.82.114.4 GITHUBUS United States 62->125 127 raw.githubusercontent.com 185.199.108.133 FASTLYUS Netherlands 62->127
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ee97743cdb423fc71707bb9ccdf5a41b77d97ab0ca8dc51a493f25a6a492717f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee97743cdb423fc71707bb9ccdf5a41b77d97ab0ca8dc51a493f25a6a492717f/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-04-24 12:51:17 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=52lxipg3ii74ofyhxoom35nedn35s6vqzkg4kgsjh4s2njesof7q._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
lummastealer
Create hunting rule
skuldstealer
Create hunting rule
Similar samples:
296497459462840bf9e8874e312088c4a85aae75d460d0d5bcc75a9d582343eb
Amadey
3cd1d9ec98d9199c17a59e2f71d77f0aa6950e8829c490083700d0ec62b3d865
Amadey
843f3d0d360a92fd9312599bc26b17c632684b74e6e850e5bcbc0d2f5e73b9bf
Amadey
8b0b20727462c5f3d5a4ace630d9690528dcefa79407480db3abde2455f700d8
Amadey
ae308ae3eaf5742f55203a3275e69f653701ede47843eec48b9c6d06d9ec22f4
Amadey
cb584a4faa3cbf7e45b503710f3d60ea9a5a5767f56a63a64ce39fb52a6718df
Amadey
cd89f99567dd598809fa2055774b7f18fc3676c6547f0d3083e192f119b2cf14
Amadey
ee97743cdb423fc71707bb9ccdf5a41b77d97ab0ca8dc51a493f25a6a492717f
Amadey
error
Amadey
ff052d1ed5c43bf2024119b2971ea7cab677dc808317e258ffebcd3ce73c1936
Amadey
+ 66 additional samples on MalwareBazaar
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma botnet:f272e9 defense_evasion discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/250424-p227ps1tgt/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
http://185.39.17.163
https://clarmodq.top/qoxo
https://geographys.run/eirq
https://woodpeckersd.run/glsk
https://ltropiscbs.live/iuwxx
https://cartograhphy.top/ixau
https://rbiosphxere.digital/tqoa
https://topographky.top/xlak
https://climatologfy.top/kbud
https://vigorbridgoe.top/banb
Verdict:
Malicious
Tags:
stealer redline
YARA:
win_redline_wextract_hunting_oct_2023
Link:
https://app.threat.zone/submission/549cc967-ec37-4a16-981f-c809f92e4ead
Unpacked files
SH256 hash:
ee97743cdb423fc71707bb9ccdf5a41b77d97ab0ca8dc51a493f25a6a492717f
MD5 hash:
10162f3f3e7179fdfc0b58e51891d859
SHA1 hash:
d630f7b636157d4c371f729cb056a085d5e014f1
Link:
https://www.unpac.me/results/e4a52d8e-c3e4-4f69-90ef-a1ff3e049ef4/
SH256 hash:
1befa1e86136e4b8d81204d1d6c400ac11910b2b9c7985b1c916599a0aba70e4
MD5 hash:
d79fff96e8cd44ed8906b9d5905b3a5f
SHA1 hash:
c38728743a56fe03481436a2c64ec51ff2ededd8
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/e4a52d8e-c3e4-4f69-90ef-a1ff3e049ef4/
SH256 hash:
f3943a3498ecf169f684144032bb3075969048ce9ff4d5717e7b404087b6db2e
MD5 hash:
1e836a8c23f71274777099ce6adfc6a8
SHA1 hash:
6a9c410f5a9b4069a1019ad1b6d0f5e064071b60
Link:
https://www.unpac.me/results/e4a52d8e-c3e4-4f69-90ef-a1ff3e049ef4/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ee97743cdb42/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee97743cdb423fc71707bb9ccdf5a41b77d97ab0ca8dc51a493f25a6a492717f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe ee97743cdb423fc71707bb9ccdf5a41b77d97ab0ca8dc51a493f25a6a492717f

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/3858/
  
URLhaus
https://urlhaus.abuse.ch/url/3519133/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3518517/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments